Nickmadd Posted July 17, 2014
https://forums.phpfreaks.com/topic/289957-making-a-php-script-non-accessible-to-traffic/

How can I make my PHP script non-accessible to users? I am wanting to cron the script and don't want anybody to spam the script as it would cause performance issues if it was constantly spammed by a user. Can I put the PHP file anywhere that only the server can run it? Thanks, any info would be awesome.

trq Posted July 17, 2014

Don't put it within your http server's document root. There is no reason it needs to be executed via http.

fastsol Posted July 17, 2014

> Don't put it within your http server's document root. There is no reason it needs to be executed via http.

The one problem that I have run into trying that method is that your paths for any included files become difficult to figure out. Plus if you're using a framework to gather a bunch of files that have critical parts being used in the cron script it's very hard to modify all those files and you really don't want to because they are core files to the framework. So what I use is this at the very top of the cron script. This way no outside IP can run the script contents below this line, it'll just return an Invalid Request to whoever is trying to access it.

    if($_SERVER["REMOTE_ADDR"] != $_SERVER["SERVER_ADDR"]) die("Invalid Request");

Jacques1 Posted July 17, 2014

> So what I use is this at the very top of the cron script. This way no outside IP can run the script contents below this line, it'll just return a Invalid Request to whom ever is trying to access it.
>
>     if($_SERVER["REMOTE_ADDR"] != $_SERVER["SERVER_ADDR"]) die("Invalid Request");

This is a bad idea. The REMOTE_ADDR depends on the server setup and may very well be identical to the SERVER_ADDR at all times (in case of a reverse proxy, for example). While this may work as a quick hack in your specific case, it's definitely not a solution.

As trq already said, place the scripts outside of the document root. If that's not possible, there's something wrong with how you use paths.

fastsol Posted July 17, 2014

> This is a bad idea. The REMOTE_ADDR depends on the server setup and may very well be identical to the SERVER_ADDR at all times (in case of a reverse proxy, for example).

Well I am far from knowledgeable with how a server really works, so touché. I guess I can't say that it's a perfect solution on my page either then, all I can test is me going to the script from my laptop and having it say Invalid Request. I don't know a single thing about a proxy.

As far as the path stuff goes, I just remembered that I wasn't trying to run it outside the root but rather a directory up or 2 from the root. It gave me tons of (I think) include and require path issues because CRON runs from a different path or something than the actual root, so it couldn't locate numerous files. Now MAYBE that's something on how my files are coded but I found many other people with the same issue. I'm always up for learning a better way.

Stefany93 Posted July 17, 2014

Or you can lock the file with .htaccess and .htpasswd and that way no one can access it.

CroNiX Posted July 24, 2014

Since you should be running cron jobs via cli...

    if (php_sapi_name() != "cli") {
        die('No Remote Execution');
    }

ginerjm Posted July 24, 2014

I always specify absolute paths for things that I know are not going to move. That way they are always 'found'. I don't see it as a problem. In my std. startup logic I always set a couple of vars to be used for this purpose. This logic is included in my scripts, so should I EVER NEED to modify my paths, it's a simple change.

If your task is going to reference files that are expected in some odd folder name or under some folder name, simply specify the absolute path to that folder or parent and work from there. One doesn't HAVE to rely on php's search methodology to find things....

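An added example, not code from any poster in this thread: a cron job kept outside the document root that builds its paths from its own location, keeps the CLI check as a fallback, and refuses to overlap with a run that is still active. The `/srv/app` layout, `APP_ROOT`, `app_path()` and `lib/tasks.php` are hypothetical names chosen for illustration.

```php
<?php
// Added example. Hypothetical layout, not from the thread:
//   /srv/app/public/         web server document root
//   /srv/app/cron/job.php    this file, outside the document root
//   /srv/app/lib/tasks.php   code shared with the site (optional here)
// Crontab entry (the php binary path varies by system):
//   */5 * * * * /usr/bin/php /srv/app/cron/job.php

// Second line of defence if the file is ever copied under the document root.
if (php_sapi_name() !== 'cli') {
    http_response_code(404);
    exit;
}

// cron does not start the job in the script's directory, so derive every
// path from this file's own location rather than from the working directory.
define('APP_ROOT', dirname(__DIR__));

function app_path(string $relative): string
{
    return APP_ROOT . '/' . ltrim($relative, '/');
}

// Hold an exclusive, non-blocking lock on this file so overlapping runs
// exit at once instead of piling up.
$self = fopen(__FILE__, 'r');
if ($self === false || !flock($self, LOCK_EX | LOCK_NB)) {
    fwrite(STDERR, "previous run still active, exiting\n");
    exit(1);
}

$shared = app_path('lib/tasks.php');
if (is_file($shared)) {
    require $shared;          // same absolute path from cron or a shell
}

// Shows that the working directory and the application root are unrelated.
printf("cwd=%s\nroot=%s\nshared=%s\n", getcwd(), APP_ROOT, $shared);

flock($self, LOCK_UN);
fclose($self);
```
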
fastsol Posted July 24, 2014

> Since you should be running cron jobs via cli...
>
>     if (php_sapi_name() != "cli") {
>         die('No Remote Execution');
>     }

I tried this and variations of it while trying to set up things in the past and was not able to ever make it work.

CroNiX Posted July 24, 2014

> I tried this and variations of it while trying to setup things in the past and was not able to ever make it work.

Are you actually using the php cli from cron? Or are you doing something like using wget?

fastsol Posted July 24, 2014

I resorted to wget because of the path issue I described above. So I guess because of that the cli thing may have not worked either then, huh.

CroNiX Posted July 24, 2014

Yes, wget basically is an http wrapper calling the url like a browser would, which means it's not actually using the PHP CLI but using whatever your webserver is using, like cgi, cgi-fcgi, etc.

If in crontab you used

    /usr/bin/php5 -q /path/to/php/script.php

then it would be CLI.
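
The two guards discussed in this thread, evaluated side by side as an added example (not code from any poster). The scenario list and the addresses are constructed samples; `ipGuardAllows`, `sapiGuardAllows`, `scenarios` and `evaluateGuards` are hypothetical names.

```php
<?php
// Added example, not code from the thread. Addresses are constructed samples
// from the documentation ranges; the scenario list is an assumption.

// The address comparison from fastsol's post, same loose semantics.
function ipGuardAllows(array $server): bool
{
    return ($server['REMOTE_ADDR'] ?? null) == ($server['SERVER_ADDR'] ?? null);
}

// The SAPI comparison from CroNiX's post.
function sapiGuardAllows(string $sapi): bool
{
    return $sapi === 'cli';
}

// Each scenario: who starts the script, the SAPI PHP runs under, and the
// $_SERVER address keys that SAPI would populate (none under the CLI).
function scenarios(): array
{
    $proxied = ['REMOTE_ADDR' => '127.0.0.1', 'SERVER_ADDR' => '127.0.0.1'];
    return [
        'visitor, direct connection' => ['cgi-fcgi',
            ['REMOTE_ADDR' => '203.0.113.7', 'SERVER_ADDR' => '198.51.100.10']],
        'visitor, via same-host reverse proxy' => ['cgi-fcgi', $proxied],
        'cron, wget to the local web server'   => ['cgi-fcgi', $proxied],
        'cron, php binary'                     => ['cli', []],
    ];
}

function evaluateGuards(): array
{
    $rows = [];
    foreach (scenarios() as $name => [$sapi, $server]) {
        $rows[$name] = [
            'ip'   => ipGuardAllows($server),
            'sapi' => sapiGuardAllows($sapi),
        ];
    }
    return $rows;
}

foreach (evaluateGuards() as $name => $r) {
    printf("%-38s ip guard: %-6s sapi guard: %s\n", $name,
        $r['ip'] ? 'run' : 'block', $r['sapi'] ? 'run' : 'block');
}
```

The address check gives the same answer for a proxied visitor and for the wget cron job, while the SAPI check blocks every HTTP request, wget included.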